From nobody@FreeBSD.ORG Sat Aug 19 02:33:02 2000
Return-Path:
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id DE14837B423; Sat, 19 Aug 2000 02:33:02 -0700 (PDT)
Message-Id: <20000819093302.DE14837B423@hub.freebsd.org>
Date: Sat, 19 Aug 2000 02:33:02 -0700 (PDT)
From: markm68k@yahoo.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: errant firewall rule response
X-Send-Pr-Version: www-1.0

>Number:         20714
>Category:       misc
>Synopsis:       errant firewall rule response
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ru
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 19 02:40:00 PDT 2000
>Closed-Date:    Thu Aug 31 07:40:07 PDT 2000
>Last-Modified:  Thu Aug 31 07:48:11 PDT 2000
>Originator:     Mark Miller
>Release:        4.1-RELEASE
>Organization:
>Environment:
FreeBSD myhost 4.1-RELEASE FreeBSD 4.1-RELEASE #7: Mon Aug 14 21:32:29 PDT 2000     me@myhost:/usr/src/sys/compile/MYHOST  i386
>Description:
Setting up a firewall rule to send the icmp unreachable for a tcp connection
causes the icmp response that is sent to say that the firewall itself is
unreachable.
>How-To-Repeat:
1. install FreeBSD 4.1-RELEASE
2. configure an "open" firewall
3. configure a natd alias internal interface.
3. add an "unreach host-prohib" rule (e.g. telnet)
4. from a computer connected to the FreeBSD computer behind a natd
   connection, try to connect to the unreachable host via tcp (e.g. telnet)
5. watch the results from tcpdump.
>Fix:
unknown.
>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov
To: markm68k@yahoo.com
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/20714: errant firewall rule response
Date: Mon, 21 Aug 2000 15:20:13 +0300

On Sat, Aug 19, 2000 at 02:33:02AM -0700, markm68k@yahoo.com wrote:
> 
> FreeBSD myhost 4.1-RELEASE FreeBSD 4.1-RELEASE #7: Mon Aug 14 21:32:29 PDT 2000     me@myhost:/usr/src/sys/compile/MYHOST  i386
> 
> Setting up a firewall rule to send the icmp unreachable for a tcp connection
> causes the icmp response that is sent to say that the firewall itself is
> unreachable.
> 
> 1. install FreeBSD 4.1-RELEASE
> 2. configure an "open" firewall
> 3. configure a natd alias internal interface.
> 3. add an "unreach host-prohib" rule (e.g. telnet)
> 4. from a computer connected to the FreeBSD computer behind a natd
>    connection, try to connect to the unreachable host via tcp (e.g. telnet)
> 5. watch the results from tcpdump.
> 
I cannot reproduce this.

Could you please send me (in private mail) the output of `ifconfig -a inet',
`ipfw list', `grep natd_ /etc/rc.conf*' and `tcpdump' output?

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

State-Changed-From-To: open->feedback
State-Changed-By: sheldonh
State-Changed-When: Tue Aug 22 08:11:36 PDT 2000
State-Changed-Why: 
Ruslan asked for feedback.

Responsible-Changed-From-To: freebsd-bugs->ru
Responsible-Changed-By: sheldonh
Responsible-Changed-When: Tue Aug 22 08:11:36 PDT 2000
Responsible-Changed-Why: 
Ruslan asked for feedback in private, so nobody else is going to know
when developments progress.
http://www.freebsd.org/cgi/query-pr.cgi?pr=20714

State-Changed-From-To: feedback->closed
State-Changed-By: ru
State-Changed-When: Thu Aug 31 07:40:07 PDT 2000
State-Changed-Why: 
Though there are some issues to be addressed with how libalias(3)
handles outgoing ICMP messages, this particular misbehavior was caused
by improper firewall configuration.  The originator confirms (in
private email) that the problems disappeared after supplying a proper
ruleset for the firewall:

On Wed, Aug 23, 2000 at 10:16:09AM -0700, Mark Miller wrote:
> 
> > But there are still some issues with your setup.
> > Natd(8) was designed to be run on `public' interface, not
> > the `internal' one, while in your case they are the same (ep0).
> > Such a configuration requires a special ruleset to work properly.
> > Replace your single `divert' rule with the following two ones
> > and let me know whether it works for you:
> > 
> > ipfw add 50 divert natd ip from 192.168.1.0/24 to not 192.168.1.0/24 out via ep0
> > ipfw add 50 divert natd ip from any to X.194.243.192 in via ep0
> 
> This works great!  I have noticed a significant improvement in efficiency
> when accessing many different sites on the internet.

http://www.freebsd.org/cgi/query-pr.cgi?pr=20714
>Unformatted:
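The two divert rules from the audit trail, modelled as an added example that is not part of the PR or of FreeBSD's own code: a toy matcher for the ipfw rule fields used here (interface, in/out direction, source, destination with `not`), compared against an assumed catch-all `divert natd ip from any to any via ep0`, since the PR does not show the originator's single rule. It shows that a packet the firewall itself generates toward a LAN host is handed to natd by the catch-all rule but not by the split pair; every address outside 192.168.1.0/24 is constructed, and 198.51.100.1 stands in for X.194.243.192.

```python
# Added example, not from the PR: a toy model of ipfw "divert natd" rule
# matching on interface, direction, source and destination ("to not <net>").
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")
PUBLIC = ip_network("198.51.100.1/32")  # constructed stand-in for X.194.243.192

@dataclass
class Pkt:
    src: str
    dst: str
    direction: str  # "in" or "out", relative to the firewall
    iface: str

@dataclass
class Divert:
    src: IPv4Network
    dst: IPv4Network
    dst_not: bool = False  # "to not <net>"
    direction: str = ""    # "in", "out", or "" for plain "via" (both ways)
    iface: str = "ep0"

    def matches(self, p: Pkt) -> bool:
        if p.iface != self.iface:
            return False
        if self.direction and p.direction != self.direction:
            return False
        if ip_address(p.src) not in self.src:
            return False
        in_dst = ip_address(p.dst) in self.dst
        return not in_dst if self.dst_not else in_dst

def diverted(rules, p: Pkt) -> bool:
    """True if some rule in the list would hand the packet to natd."""
    return any(r.matches(p) for r in rules)

# Assumed original setup (not shown in the PR): catch-all "divert natd ip from any to any via ep0".
SINGLE = [Divert(ANY, ANY)]
# The two rules Ruslan gave in the audit trail.
FIXED = [Divert(LAN, LAN, dst_not=True, direction="out"),
         Divert(ANY, PUBLIC, direction="in")]

# Constructed packets: a LAN client going out, the reply coming back in, and
# an ICMP unreachable the firewall itself sends back to the LAN client.
OUTBOUND = Pkt("192.168.1.10", "203.0.113.5", "out", "ep0")
INBOUND = Pkt("203.0.113.5", "198.51.100.1", "in", "ep0")
LOCAL_ICMP = Pkt("192.168.1.1", "192.168.1.10", "out", "ep0")
```

The catch-all rule diverts all three packets; the split pair still diverts the client's outbound traffic and the inbound reply but leaves the firewall's own packet to the LAN host untouched by natd.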